From d4ea56a77ef408347a9d73b36e8066334b8835ea Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Tue, 24 Sep 2013 05:20:29 -0700
Subject: reduce susceptibility to bleichenberger attack

---
 boot.php         |  1 +
 include/text.php |  2 +-
 mod/post.php     | 24 ++++++++++++++++++------
 version.inc      |  2 +-
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/boot.php b/boot.php
index 346a0f926..ce7218013 100755
--- a/boot.php
+++ b/boot.php
@@ -1176,6 +1176,7 @@ function check_config(&$a) {
 		// our URL changed. Do something.
 
 		$oldurl = hex2bin($saved);
+		logger('Baseurl changed!');
 		
 		$oldhost = substr($oldurl,strpos($oldurl,'//')+2);
 		$host = substr(z_root(),strpos(z_root(),'//')+2);
diff --git a/include/text.php b/include/text.php
index 40df8bd89..be5e2338d 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1312,7 +1312,7 @@ function get_plink($item) {
 	$a = get_app();	
 	if (x($item,'plink') && ($item['item_private'] != 1)) {
 		return array(
-			'href' => $item['plink'],
+			'href' => zid($item['plink']),
 			'title' => t('link to source'),
 		);
 	} 
diff --git a/mod/post.php b/mod/post.php
index 378192cbf..0e1884d85 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -174,18 +174,30 @@ function post_post(&$a) {
 	if(array_key_exists('iv',$data)) {
 		$data = aes_unencapsulate($data,get_config('system','prvkey'));
 		logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
-		if(! $data) {
-			$ret['message'] = 'Decryption failed.';
-			json_return_and_die($ret);
-		}
+
+//	susceptible to Bleichenberger attack
+//		if(! $data) {
+//			$ret['message'] = 'Decryption failed.';
+//			json_return_and_die($ret);
+//		}
 
 		$data = json_decode($data,true);
 
 	}
 
 	if(! $data) {
-		$ret['message'] = 'No data received.';
-		json_return_and_die($ret);
+
+		// possible Bleichenberger attack, just treat it as a 
+		// message we have no handler for. It should fail a bit 
+		// further along with "no hub". Our public key is public
+		// knowledge. There's no reason why anybody should get the 
+		// encryption wrong unless they're fishing or hacking. If 
+		// they're developing and made a goof, this can be discovered 
+		// in the logs of the destination site. If they're fishing or 
+		// hacking, the bottom line is we can't verify their hub. 
+		// That's all we're going to tell them.
+
+		$data = array('type' => 'bogus');
 	}
 
 	logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);
diff --git a/version.inc b/version.inc
index 451a8e715..713343a75 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2013-09-23.445
+2013-09-24.446
-- 
cgit v1.2.3